In a post entitled Applying Security Standards Like ISO 27002 to Compliance Requirements, Mark Tordoff comments on an article by Richard Mackey in SearchSecurity. The gist of both articles is that using a broad standard like ISO 27002 is a sensible approach to security. Further, combining the controls in ISO with the highly specific requirements of PCI DSS 1.1 can help those organizations subject to PCI to achieve compliance.
Absolutely no argument with any of this, but it leads to a broader discussion of how best to relate the controls found in standards like ISO and PCI, and to determine which controls allow an organization to
comply with various requirements in regulations. Mapping of specific, discrete, measurable controls to higher level compliance requirements is still more art than science. It is highly subjective, and it requires a unique depth of understanding of many aspects of IT security, and of the relevant compliance requirements. Then extend the challenge to determining how best to test our actual compliance status. In some cases, there may be “machine data” that can determine whether we’re in compliance, based upon the presence or absence of a given control. Frequently however we will have to develop an assessment question to ask a human being about the control status.
The whole area of mapping regulations, requirements, controls, and assessment questions is a big, big challenge for most organizations. There is some very interesting work being done by a number of vendor organizations in this area, but we are a long way from reaching nirvana in the area of creating relationships between these entities that are useful and easily changeable.
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
